rustsec issues

cargo install cargo-audit ailes with invalid version 0 on git_proxy_options; class=Invalid (3)

2

I am on OpenBSD and had to update the system (git, cmake, etc) to install rust. However, after installation cargo update is failing: ``` pi4bsdm2% cargo install cargo-audit --features vendored-libgit2...

sandeep-gh

Fetching rustsec DB does not handle repo contention

Similar to the crate registry (see #489), it looks like fetching the rustsec DB is vulnerable to failing on the same race condition. We should support retries, whether inside rustsec...

epage

Offline mode

5

Thanks for a great project! It looks like cargo audit doesn't honor the offline flag and always try to fetch crates.io. On the other hand it continues running successfully after...

janderholm

The website should generate links to reference issues

1

https://rustsec.org/advisories/RUSTSEC-2020-0071.html At the bottom of this page at the references section, it should possibly generate a link to that issue (which would be `https://github.com/time-rs/time/issues/293`).

Milo123459

web

False-positive elimination (call graph analysis)

13

Shall cargo-audit, like [cargo-geiger](https://crates.io/crates/cargo-geiger), track which functions are used and which are unused by the target crate and filter out vulnerabilities in unreferenced functions? Otherwise there will be a stream...

vi

enhancement

cargo-audit crate

Lint: warn about versions in the distant future being affected

Sometimes people specify patched versions with an upper bound, e.g. using the `^` operator, so that all currently existing versions are covered, but versions released in the distant future would...

Shnatsel

Prerlease version comparisons bug: old advisories incorrectly applied to new versions

3

Running `cargo audit` with recently published _actix-web_ `4.0.0-beta.1` is producing errors due to older advisories. Presumably this is a version comparison bug? Update: Caused by: https://github.com/RustSec/rustsec-crate/issues/218 ## Reproduce ```toml #...

tl-alex-butler

No warning if Cargo.lock is out of date

7

```console > cargo new foo && cd foo Created binary (application) `foo` package > cargo audit Fetching advisory database from `https://github.com/RustSec/advisory-db.git` Loaded 251 security advisories (from /home/wim/.cargo/advisory-db) Updating crates.io index...

Nemo157

Lint: if references mention GHSA or CVE, require their presence in `aliases`

As of right now we have some advisories linking to GHSA but not specifying it in `aliases` field. I've opened a PR to fix that manually (https://github.com/RustSec/advisory-db/pull/937), but it would...

Shnatsel

Lint: check that at least one version from crates.io matches

This should be pretty straightforward - all the infrastructure is already in place.

Shnatsel

rustsec
rustsec copied to clipboard

Metadata

cargo install cargo-audit ailes with invalid version 0 on git_proxy_options; class=Invalid (3)

Fetching rustsec DB does not handle repo contention

Offline mode

The website should generate links to reference issues

False-positive elimination (call graph analysis)

Lint: warn about versions in the distant future being affected

Prerlease version comparisons bug: old advisories incorrectly applied to new versions

No warning if Cargo.lock is out of date

Lint: if references mention GHSA or CVE, require their presence in `aliases`

Lint: check that at least one version from crates.io matches

← Metadata

Owner

Metadata

rustsec rustsec copied to clipboard

Metadata

← Metadata

Owner

Metadata

rustsec
rustsec copied to clipboard